
Jamie Strandboge (jdstrand) wrote :

I just noticed that if the parent profile is in complain mode and the child profile is in enforce mode, the change does not fail with "permission denied", but the enforcing child profile's rules are not honored either (the denied file is created, as shown below).

Eg:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <limits.h>
#include <stdarg.h>
#include <sys/apparmor.h>

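int main(int argc, char *argv[]) {
    /*
     * Reproducer: switch into the "foo" profile, then try to create
     * /tmp/foo.  The profile in the report gives "foo" the rule
     * "audit deny /tmp/foo rw", so if "foo" is enforced the open()
     * must fail.  Exit status 0 means the deny was honored ("confined");
     * exit status 1 means either the profile change failed or the file
     * was created despite the deny ("unconfined").
     */
    const char *profile_name = "foo";
    int fd;

    (void)argc;
    (void)argv;

    /* perror() reports the errno left by a failed aa_change_profile(). */
    if (aa_change_profile(profile_name) != 0) {
        perror("could not change profile");
        exit(1);
    }

    /*
     * Ask for write access explicitly: O_TRUNC on a read-only open is
     * unspecified by POSIX, and the rule under test denies "w", so the
     * request should be unambiguously a write.
     */
    fd = open("/tmp/foo", O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd == -1) {
        printf("confined\n");
        exit(0);
    }
    printf("unconfined\n");
    close(fd);

    /* Reaching here means the deny rule was not applied. */
    exit(1);
}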

$ cd /tmp
$ gcc -lapparmor ./foo.c

$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>

/tmp/a.out flags=(complain) {
  #include <abstractions/base>
  /** rwmkl,

  change_profile -> foo,
}

profile foo {
  /** rwmkl,
  audit deny /tmp/foo rw,
}

$ ./a.out
unconfined
[1]
$ ls -l /tmp/foo
-rw-r--r-- 1 jamie jamie 0 2009-08-05 16:56 /tmp/foo

Using the following profile:
$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>

/tmp/a.out {
  #include <abstractions/base>
  /** rwmkl,

  change_profile -> foo,
}

profile foo {
  /** rwmkl,
  audit deny /tmp/foo rw,
}

$ /tmp/a.out
could not change profile: Permission denied
[1]